Hi,

I'm working on implementing a security model for some of our REST/JAX-RS services. The basic goal is to allow/disallow certain REST actions based on remote user, api endpoint, and endpoint parameters. For example, a user might have the right roles to perform a certain action, but they are restricted to performing the action against only certain objects.

I've looked at implementing a custom request handler, and a little at Spring Security. The Spring Security authorization model seems like it might work, but it will require a lot of effort to integrate with our SSO system, and we would have to build out an authorization system from scratch.

A custom request handler (RequestHandler extension) might do. You can get access to the actual resource object which is about to be invoked upon, the name of the operation, the HTTP method, etc. Let me know if you'd like to get more details on how to retrieve the resource class instance...


Are there any best practices or other examples for JAX-RS security in this type of model?

We have fairly straightforward Spring Security system tests. But given the list of requirements you described above, implementing a custom RequestHandler might be the easiest option: you can delegate to the external SSO, block the request or let it go...

Cheers, Sergey


-Greg
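The following is an added example, not code from the thread or from CXF itself, of the approach Sergey describes: a CXF 2.x RequestHandler that delegates authentication to an SSO system and then enforces a per-object rule before the resource method runs. The `SsoClient` interface, the `X-SSO-Token` header, the `/orders/{id}` URI layout, the `operator` role and the in-memory grant table are all assumptions for illustration. Returning `null` lets the request continue; returning a `Response` stops the chain with that status.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Message;

/**
 * Added example (not from the original thread): a CXF 2.x RequestHandler that
 * authenticates through an assumed SSO client and then checks whether the
 * caller may perform the selected operation against the object named in the path.
 */
public class ObjectLevelAuthzHandler implements RequestHandler {

    /** Assumed SSO integration point: validate a token, return the user or null. */
    public interface SsoClient {
        Principal resolve(String token);
    }

    public static final class Principal {
        final String name;
        final Set<String> roles;
        public Principal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<String>(Arrays.asList(roles));
        }
    }

    /** Assumed header carrying the SSO token; adjust to the real SSO system. */
    static final String TOKEN_HEADER = "X-SSO-Token";

    /** Assumed URI layout: the object being acted on is the segment after /orders/. */
    private static final Pattern OBJECT_ID = Pattern.compile("/orders/([^/]+)");

    private final SsoClient sso;
    /** Constructed grant table (assumption): user name -> object ids that user may modify. */
    private final Map<String, Set<String>> writableObjects = new HashMap<String, Set<String>>();

    public ObjectLevelAuthzHandler(SsoClient sso) {
        this.sso = sso;
        writableObjects.put("alice", new HashSet<String>(Arrays.asList("42", "43")));
    }

    @SuppressWarnings("unchecked")
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // 1. Authenticate by handing the token to the SSO system instead of reimplementing it.
        Map<String, List<String>> headers = (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS);
        List<String> tokens = headers == null ? null : headers.get(TOKEN_HEADER);
        Principal user = (tokens == null || tokens.isEmpty()) ? null : sso.resolve(tokens.get(0));
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build(); // stop the chain
        }

        // 2. What is about to be invoked: HTTP method, path and, once matched, the Java method.
        //    resourceClass.getResourceClass() gives the resource type; the instance itself can be
        //    obtained through resourceClass.getResourceProvider().getInstance(m) if needed.
        String httpMethod = (String) m.get(Message.HTTP_REQUEST_METHOD);
        String path = (String) m.get(Message.PATH_INFO);
        OperationResourceInfo ori = m.getExchange().get(OperationResourceInfo.class);
        String operation = ori != null ? ori.getMethodToInvoke().getName() : httpMethod + " " + path;

        // 3. Role check: anything other than a read requires the (assumed) operator role.
        boolean write = !"GET".equals(httpMethod) && !"HEAD".equals(httpMethod);
        if (write && !user.roles.contains("operator")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // 4. Object check: having the role is not enough; the caller must be granted this object.
        Matcher mt = path == null ? null : OBJECT_ID.matcher(path);
        if (write && mt != null && mt.find()) {
            Set<String> allowed = writableObjects.get(user.name);
            if (allowed == null || !allowed.contains(mt.group(1))) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
        }

        // Expose the principal and the decided operation to the resource via the message.
        m.put("authz.principal", user.name);
        m.put("authz.operation", operation);
        return null; // continue to the resource method
    }
}
```

Register the handler like any other provider, for example inside `<jaxrs:providers>` in the Spring configuration of the endpoint. Two caveats: the `OperationResourceInfo` lookup is guarded with a null check because whether the operation has already been matched depends on the CXF version and on where the handler sits in the chain, and `RequestHandler` was removed in CXF 3.x, where the same logic belongs in a JAX-RS 2.0 `ContainerRequestFilter` with an injected `ResourceInfo`.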

